Rob Richard‘s XML Security implementation provided the impetus I needed to get a ‘pure’ PHP SAML 2.0 SP working. Rob kindly allowed me to adopt the XML Security code into OpenSSO (note that the base XML security code is still, and will continue to be, available, in its original public domain form, at Rob’s page) and I set forth hacking away.

Well – I’m done with an initial version. SAML 2.0 POST profile works. There is no artifact profile, no single log out, no bells or whistles. It does verify the assertion signature (via PHP’s integration with openssl) and checks that the certificate fingerprint matches what it expects from that identity provider.